Closed Bug 1382977 Opened 7 years ago Closed 7 years ago

Crash in CContext::ID3D11DeviceContext1_SetShaderResources_<T>

Categories

(Core :: Graphics: Layers, defect)

56 Branch
All
Windows 7
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1382829
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-c9a2d8c5-60dd-4436-9602-cd4d60170720.
=============================================================
Crashing Thread (4)
Frame 	Module 	Signature 	Source
0 	d3d11.dll 	CContext::ID3D11DeviceContext1_SetShaderResources_<5, 4>(ID3D11DeviceContext1*, unsigned int, unsigned int, ID3D11ShaderResourceView* const*) 	
1 	xul.dll 	mozilla::layers::MLGDeviceD3D11::SetPSTextures(unsigned int, unsigned int, mozilla::layers::TextureSource* const*) 	gfx/layers/d3d11/MLGDeviceD3D11.cpp:1684
2 	xul.dll 	mozilla::layers::MLGDevice::SetPSTexturesYUV(unsigned int, mozilla::layers::TextureSource*) 	gfx/layers/mlgpu/MLGDevice.cpp:232
3 	xul.dll 	mozilla::layers::VideoRenderPass::SetupPipeline() 	gfx/layers/mlgpu/RenderPassMLGPU.cpp:790
4 	xul.dll 	mozilla::layers::ShaderRenderPass::ExecuteRendering() 	gfx/layers/mlgpu/RenderPassMLGPU.cpp:314
5 	xul.dll 	mozilla::layers::RenderViewMLGPU::ExecutePass(mozilla::layers::RenderPassMLGPU*) 	gfx/layers/mlgpu/RenderViewMLGPU.cpp:468
6 	xul.dll 	mozilla::layers::RenderViewMLGPU::ExecuteRendering() 	gfx/layers/mlgpu/RenderViewMLGPU.cpp:421
7 	xul.dll 	mozilla::layers::FrameBuilder::Render() 	gfx/layers/mlgpu/FrameBuilder.cpp:107
8 	xul.dll 	mozilla::layers::LayerManagerMLGPU::RenderLayers() 	gfx/layers/mlgpu/LayerManagerMLGPU.cpp:374
9 	xul.dll 	mozilla::layers::LayerManagerMLGPU::Composite() 	gfx/layers/mlgpu/LayerManagerMLGPU.cpp:317
10 	xul.dll 	mozilla::layers::LayerManagerMLGPU::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) 	gfx/layers/mlgpu/LayerManagerMLGPU.cpp:276
11 	xul.dll 	mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) 	gfx/layers/ipc/CompositorBridgeParent.cpp:1041
12 	xul.dll 	mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) 	gfx/layers/ipc/CompositorVsyncScheduler.cpp:262
13 	xul.dll 	mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler* const, void ( mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), 1, 1, mozilla::TimeStamp>::Run() 	obj-firefox/dist/include/nsThreadUtils.h:1187
14 	xul.dll 	MessageLoop::RunTask(already_AddRefed<nsIRunnable>) 	ipc/chromium/src/base/message_loop.cc:443
15 	xul.dll 	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) 	ipc/chromium/src/base/message_loop.cc:451
16 	xul.dll 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc:526
17 	xul.dll 	base::MessagePumpForUI::DoRunLoop() 	ipc/chromium/src/base/message_pump_win.cc:212
18 	xul.dll 	base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpWin::Dispatcher*) 	ipc/chromium/src/base/message_pump_win.cc:56
19 	xul.dll 	base::MessagePumpWin::Run(base::MessagePump::Delegate*) 	ipc/chromium/src/base/message_pump_win.h:80
20 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:313
21 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:293
22 	xul.dll 	base::Thread::ThreadMain() 	ipc/chromium/src/base/thread.cc:181
23 	xul.dll 	`anonymous namespace'::ThreadFunc 	ipc/chromium/src/base/platform_thread_win.cc:28
24 	kernel32.dll 	BaseThreadInitThunk 	
25 	mozglue.dll 	patched_BaseThreadInitThunk 	mozglue/build/WindowsDllBlocklist.cpp:815
26 	ntdll.dll 	__RtlUserThreadStart 	
27 	ntdll.dll 	_RtlUserThreadStart

crash reports with this signature first started up on 56.0a1 build 20170718030207 when advanced layers were enabled for win7 in bug 1379731. three quarters of the reports show crashes happening in the gpu process, the rest in the main browser process.

a number of crash reports have an address indicating a UAF situation, so i'll mark this bug as security sensitive.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE

Al, this was fixed in nightly in bug 1382829, which is marked as a sec-critical issue and un-hidden, back in July. Does this need a security advisory for 56?

Flags: needinfo?(abillings)

Liz, 55 was unaffected so we never shipped the issue to the public. As such, it won't be going into any advisories.

Flags: needinfo?(abillings)
Group: core-security